by twoquestions 3105 days ago
One question I have, along with the very good question from the OP: do larger companies and governments actually care about security, or are they more interested in doing the proper dance and checking the right boxes so as not to be held responsible when they're hacked?

It seems irrational to want to learn how to secure systems when their owners don't care about it (and won't pay to secure them) if the risk can be transferred to other parties. I'm sure there are a few organizations that care if their data are stolen, but by and large it's a cost center, and treated accordingly in my experience.

2 comments

It’s a spectrum. There are companies that absolutely care with every fiber of their being, and those that couldn’t care less.

Now that “cyber” is a thing that can lead to a CEO losing their head, most companies are roughly in the middle somewhere. Sure, there will be a fall-guy and finger pointing, but it’s better to at least not be completely negligent.

“If the risk can be transferred to other parties” - that’s potentially a business avenue OP wants to pursue. AcmeCorp can buy OP’s shiny datascienceDefender(tm) network monitor.

A lot of tech-first companies (and don’t forget, some legacy companies are desperately trying to become these) care a massive amount about security, so there is definitely volume of work with people who genuinely want to improve the state.

If the incentive systems are designed correctly, maybe the dancing and box-checking can result in a near-optimal state. I think most of us here share the notion that hardening systems up-front is the most cost-effective way in the long run, but that companies tend not to do so due to a myopic view of security as a short-term expense rather than a long-term investment.

I read a post with an interesting idea recently: entities are currently treating customer data as an asset, whereas they should be treating it as a liability. If the regulatory incentives are set up such that customer data is a liability, companies will find it most efficient to buy insurance. And no successful insurance company will offer coverage without performing its due diligence. If the hardening itself is not the cost center, but rather the insurance premiums, then the end result may be companies doing infosec the right way, just because it's the most cost-effective thing to do.